Checklist: Implementing a Secure DNS Configuration

Published: October 7, 2009

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

To reduce the chances of an attacker being able to compromise the integrity of your DNS infrastructure, it is important to ensure that DNS servers are configured with best practices for DNS security. This checklist provides links to important concepts and procedures you can use to implement a secure DNS configuration.

Note

When a reference link takes you to a conceptual topic or to a subordinate checklist, return to this topic after you review the conceptual topic or you complete the tasks in the subordinate checklist so that you can proceed with the remaining tasks in this checklist.

Checklist: Implementing a secure DNS configuration

Task

Reference

Determine which DNS security threats are most significant to your environment, and determine the level of security that is required.

For the DNS servers in your network that are exposed to the Internet, if zone transfer must be enabled, restrict DNS zone transfers either to the DNS servers identified in the zone by name server (NS) resource records or to an explicit list of DNS servers in your network. If zone transfers are not required, disable them for the zone entirely, because an unrestricted zone transfer hands an attacker a complete inventory of the names and addresses in the zone.

When socket pooling is enabled, the DNS server picks a random source port for each outbound query from a pool of sockets that it opens when the service starts, instead of reusing a single predictable port. Because a spoofed response must match the query's source port as well as its transaction ID, this makes it much harder for an attacker to forge an answer and provides additional protection against cache poisoning attacks.

If the server running the DNS Server service is a multihomed computer, restrict the DNS Server service to listen only on the interface IP address that is used by its DNS clients and internal servers. For example, a server acting as a proxy server may have two network adapters, one for the intranet and one for the Internet. If that server is also running the DNS Server service, you can configure the service to listen for DNS traffic only on the IP address that the intranet network adapter uses, so that the Internet-facing address does not accept DNS queries at all.

If you have a private, internal DNS namespace, configure the root hints on your internal DNS servers to point only to the DNS servers that host your internal root domain and not the DNS servers that host the Internet root domain.

Disable recursion on all DNS servers that do not require it. A DNS server requires recursion only if it is configured with a forwarder, or if it must resolve domain names for which it is not authoritative and that are not already cached. Note that disabling recursion on a Windows DNS server also disables its forwarders, so an authoritative-only server that is exposed to the Internet is the typical candidate; a server that resolves names for internal clients is not.

Ensure that the default server option that secures the cache of every DNS server against name pollution (Secure cache against pollution, enabled by default) has not been changed. Name pollution occurs when a DNS query response contains resource records for names outside the responding server's authority; such records may be malicious or simply unreliable. With this option enabled, the server discards those records instead of adding them to its cache.
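The checklist items above that map to server or zone settings can be audited and applied from one script. The following PowerShell script is an added example for this page, not code from the original checklist or from Microsoft; it drives dnscmd.exe, which is the command-line tool available on Windows Server 2008 R2 (the DnsServer PowerShell module did not exist in that release). The listen address, zone names, secondary server addresses, and socket pool size are placeholder assumptions, and the "Dword:" line that the script parses from dnscmd /Info output is assumed from typical output of that command. Run it without -Apply first to see what it would change.

```powershell
# Added example (not from the original checklist): audit and optionally enforce
# the dnscmd-configurable items of the secure DNS checklist on Windows Server 2008 R2.
# Assumptions: dnscmd.exe is on the path and the script runs as a DNS administrator;
# all IP addresses, zone names and the pool size below are placeholders.
param(
    [switch]$Apply,
    [string]$ListenAddress = '10.0.0.5',                       # assumed intranet adapter address
    [string[]]$InternetFacingZones = @('example.com'),         # assumed zone names
    [string[]]$AllowedTransferPeers = @('10.0.0.6', '10.0.0.7'), # assumed secondary servers; empty = no transfers
    [int]$SocketPoolSize = 2500                                # 2008 R2 default; raising it widens the port pool
)

# Query one server-wide DWORD setting. The "Dword:   <n> (0x...)" line is the assumed
# output format of "dnscmd /Info <Name>"; returns $null if it cannot be parsed.
function Get-DnsDword([string]$Name) {
    $out = & dnscmd.exe /Info $Name 2>&1 | Out-String
    if ($out -match 'Dword:\s+(\d+)') { return [int]$matches[1] }
    return $null
}

# Run a dnscmd command line, or just print it when auditing.
function Invoke-DnsCmd([string[]]$Arguments) {
    $display = 'dnscmd ' + ($Arguments -join ' ')
    if ($Apply) {
        & dnscmd.exe @Arguments | Out-Null
        Write-Host "  applied:   $display"
    } else {
        Write-Host "  would run: $display"
    }
}

# Server-wide settings and the values the checklist calls for.
$expected = @{
    'NoRecursion'     = 1                # disable recursion (also disables forwarders!)
    'SecureResponses' = 1                # secure cache against (name) pollution
    'SocketPoolSize'  = $SocketPoolSize  # source-port randomization pool
}

Write-Host 'Server-wide settings:'
foreach ($name in $expected.Keys) {
    $current = Get-DnsDword $name
    $ok = ($current -eq $expected[$name])
    $state = if ($ok) { 'OK' } else { 'FIX' }
    Write-Host ("  {0,-16} current={1,-6} expected={2,-6} {3}" -f $name, $current, $expected[$name], $state)
    if (-not $ok) { Invoke-DnsCmd @('/Config', "/$name", [string]$expected[$name]) }
}
if (-not $Apply) { Write-Host '  (a SocketPoolSize change takes effect after the DNS Server service restarts)' }

# Multihomed host: listen only on the intranet adapter address.
Write-Host 'Listen addresses:'
Invoke-DnsCmd @('/ResetListenAddresses', $ListenAddress)

# Internet-facing zones: allow transfers only to an explicit list of secondaries,
# or disable transfers for the zone when no peers are listed.
# (/SecureNs would instead allow only the servers named in the zone's NS records.)
Write-Host 'Zone transfer restrictions:'
foreach ($zone in $InternetFacingZones) {
    if ($AllowedTransferPeers.Count -gt 0) {
        Invoke-DnsCmd (@('/ZoneResetSecondaries', $zone, '/SecureList') + $AllowedTransferPeers)
    } else {
        Invoke-DnsCmd @('/ZoneResetSecondaries', $zone, '/NoXfr')
    }
}
```

Root hints are deliberately left out of the script: for a private namespace they should be edited to point at the internal root servers, which is a one-time change that depends on your internal root zone and is easier to verify in the DNS Manager console. Also keep in mind that NoRecursion=1 is only correct on servers that neither forward nor resolve names for clients; applying it to a caching resolver breaks name resolution for everything that depends on it.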